Overview

Vulnerability scanning is a process of remotely examining hosts on a network for known, detectable vulnerabilities and misconfigurations. The types of vulnerabilities found depend on the scanner used, the way the scanner is configured (the "scan policy"), and the amount of information the target host or network reveals to the scanner. In a typical network vulnerability scan, the scanner will attempt to connect to hosts in the target network in various ways to determine which ones are responsive ("host discovery"). Discovered hosts are subsequently interrogated to find open ports for the scanner to probe ("port scanning"). Any open ports will be tested for specific vulnerabilities that match the type of service detected on that port. Since many tests rely on self-reporting by the host (such as the software version numbers it announces in banners), there is a potential for false positives and false negatives in any scan. One way to address this is through credentialed scanning, where the scanner is provided with an account to log in to the target host and directly query the status and configuration of the operating system and installed software.
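The following added example (not part of the original page and not IIA's or Tenable's code) illustrates why version self-reporting produces false positives and why a credentialed check is more reliable. It contrasts a banner-based check, which only sees an upstream version string, with a credentialed check that reads the installed package's epoch:version-release label and compares it against the distribution's fixed release, the way backported security fixes are tracked. All banners, package versions and "fixed-in" values are constructed for illustration; the version comparison is a simplified form of the RPM label comparison algorithm.

```python
"""Banner-based vs. credentialed vulnerability verdicts (constructed example)."""
import re


def rpm_segment_compare(a, b):
    """Simplified rpmvercmp: split into numeric/alphabetic segments and compare
    left to right. Returns -1, 0 or 1 (a older, equal, a newer)."""
    seg_a = re.findall(r"\d+|[a-zA-Z]+", a)
    seg_b = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks an alpha one
        elif x != y:
            return -1 if x < y else 1        # alpha segments compare lexically
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1  # longer label is newer
    return 0


def split_evr(evr):
    """Split 'epoch:version-release' (epoch optional, default 0) into a tuple."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a, b):
    """Compare two package labels: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpm_segment_compare(va, vb)
    return c if c != 0 else rpm_segment_compare(ra, rb)


def banner_version(banner):
    """Extract the upstream version an SSH server self-reports in its banner."""
    m = re.search(r"OpenSSH_(\d+\.\d+)", banner)
    return m.group(1) if m else None


def uncredentialed_verdict(banner, fixed_upstream):
    """Non-credentialed check: flag the host if the banner version is older
    than the upstream release that fixed the issue. Cannot see backports."""
    v = banner_version(banner)
    return v is not None and rpm_segment_compare(v, fixed_upstream) < 0


def credentialed_verdict(installed_evr, fixed_evr):
    """Credentialed check: compare the installed package label against the
    distribution's fixed release, which may carry the fix as a backport."""
    return evr_compare(installed_evr, fixed_evr) < 0


# Constructed scenario: the host announces upstream 7.4, but the vendor
# package 7.4p1-21.el7 already carries the fix backported in release 16.
BANNER = "SSH-2.0-OpenSSH_7.4"           # constructed banner
FIXED_UPSTREAM = "7.5"                  # constructed upstream fix version
INSTALLED_PKG = "7.4p1-21.el7"          # constructed installed package label
FIXED_IN_DISTRO = "7.4p1-16.el7"        # constructed vendor fixed-in release


def compare_verdicts():
    """Return (banner_says_vulnerable, package_says_vulnerable) for the scenario."""
    return (
        uncredentialed_verdict(BANNER, FIXED_UPSTREAM),
        credentialed_verdict(INSTALLED_PKG, FIXED_IN_DISTRO),
    )


if __name__ == "__main__":
    banner_flag, pkg_flag = compare_verdicts()
    print(f"banner check flags host: {banner_flag}")     # True (false positive)
    print(f"credentialed check flags host: {pkg_flag}")  # False (fix is backported)
```

The banner check raises a false positive because the vendor kept the 7.4 version string while shipping the fix in a later package release; only the credentialed check, which can read the package database, sees that.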

Scans Offered

Monthly Scanning Service

IIA offers a free monthly scanning service to units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure. This service is an appropriate option for networks that are accessible from campus, or where the scanner can be allowed through a firewall.

The monthly scanning service is free to U-M units, and offers:

Nessus scans at a time and frequency of your choice

Use of our tested scan policy, customized to fit your needs

Scan reports automatically emailed to your choice of contacts at the conclusion of the scan

Units may use the service to scan U-M-owned networks that are reachable from IIA's scanning server. For networks that are not normally reachable due to a firewall, an exception would need to be created for the scanner in order to obtain full visibility of the target network.

Quarterly Vulnerability Scans

IIA conducts quarterly vulnerability scans of the entire network address space registered to the University of Michigan. These scans are included in IT Security Essential, a suite of services provided by IIA to protect university IT resources. The scans come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks. Detailed vulnerability reports are provided to the identified contact person in a unit (as listed in the ITS Network Information Database—NetInfo) with the expectation that corrective actions will be taken.

Scans for Recent Vulnerabilities

IIA occasionally performs very narrowly targeted scans of all campus networks to find high-risk vulnerabilities that pose an imminent threat. When this occurs, an e-mail notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.

IIA performs network vulnerability scans using the Nessus vulnerability scanner. When campus-wide scans are performed, every effort will be made to notify network owners in advance. Units that observe unexpected scan traffic may contact security@umich.edu with the relevant source and target IP address to determine whether an IIA scan is the root cause.

Vulnerability Scanning Tools for Units

IIA does not provide licenses to units for specific vulnerability scanners. If a unit would like to perform regular vulnerability scans, we recommend first evaluating the IIA monthly scanning service to see if it will meet those needs.

For units that wish to perform scans of large private networks:

IIA recommends the Nessus vulnerability scanner. The Nessus scanner can be downloaded and installed for free, but requires the purchase of a ProfessionalFeed subscription to obtain access to the plugins that check for vulnerabilities. A one-year subscription is $1,500 and can be purchased through Tenable Network Security.

Frequently Asked Questions About the Monthly Scanning Service

The quarterly vulnerability scan looks at the entire U-M network space from an external Internet location. It was designed to test for a subset of vulnerabilities that are remotely exploitable, require no authentication, impact confidentiality or integrity, and are considered high or medium in severity. In addition, the quarterly scan only checks a list of commonly observed ports to find services to test, and is performed from an Internet address outside of the campus network (which limits the scanner's visibility). Since the quarterly scan is performed on a very large scale from the Internet, it cannot provide as accurate a vulnerability assessment as one generated by a more local, customized scan. By contrast, the monthly scan by default runs all safe tests available in Nessus, probes a much larger number of ports, and is conducted from a server on the campus network.
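As an added example (not part of the original page and not IIA's own tooling), the script below reads a Nessus report in the .nessus (NessusClientData_v2) XML format and separates findings that fall within the quarterly scan's subset from those only a fuller monthly-style scan would report. The page's criteria are mapped onto the CVSS v2 vector Nessus attaches to each finding: "remotely exploitable" as AV:N, "require no authentication" as Au:N, "impact confidentiality or integrity" as C or I not being N, and "high or medium severity" as Nessus severity 2 or above. That mapping, the port list standing in for IIA's commonly observed ports, and the sample report itself are assumptions constructed for this example.

```python
"""Split Nessus findings into the quarterly-scan subset vs. everything else."""
import xml.etree.ElementTree as ET

# Assumption: a small stand-in for IIA's list of commonly observed ports.
COMMON_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389}

# Constructed sample report in NessusClientData_v2 layout; plugin IDs, names
# and hosts are invented for illustration and correspond to no real plugin.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="3"
                  pluginID="900001" pluginName="Constructed remote SSH flaw">
        <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
      </ReportItem>
      <ReportItem port="8443" protocol="tcp" svc_name="www" severity="3"
                  pluginID="900002" pluginName="Constructed flaw on uncommon port">
        <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N</cvss_vector>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="2"
                  pluginID="900003" pluginName="Constructed authenticated-only flaw">
        <cvss_vector>CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N</cvss_vector>
      </ReportItem>
      <ReportItem port="80" protocol="tcp" svc_name="www" severity="1"
                  pluginID="900004" pluginName="Constructed low-severity DoS">
        <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P</cvss_vector>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
                  pluginID="900005" pluginName="Constructed informational plugin">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_cvss2(vector):
    """Turn a Nessus 'CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P' string into a dict."""
    if not vector:
        return {}
    body = vector.split("#", 1)[-1]
    return dict(part.split(":", 1) for part in body.split("/") if ":" in part)


def parse_nessus(xml_text):
    """Flatten every ReportItem in the report into a list of finding dicts."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "plugin": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "cvss2": parse_cvss2(item.findtext("cvss_vector")),
            })
    return findings


def meets_quarterly_criteria(finding, common_ports=COMMON_PORTS):
    """Apply the page's quarterly-scan criteria (mapping is an assumption)."""
    v = finding["cvss2"]
    return (
        finding["severity"] >= 2                       # medium or higher
        and v.get("AV") == "N"                         # remotely exploitable
        and v.get("Au") == "N"                         # no authentication needed
        and (v.get("C", "N") != "N" or v.get("I", "N") != "N")  # C or I impact
        and finding["port"] in common_ports            # on a commonly observed port
    )


def classify(xml_text):
    """Return (quarterly_subset, outside_subset) as lists of plugin names."""
    quarterly, outside = [], []
    for f in parse_nessus(xml_text):
        (quarterly if meets_quarterly_criteria(f) else outside).append(f["plugin"])
    return quarterly, outside


if __name__ == "__main__":
    q, rest = classify(SAMPLE_NESSUS)
    print("Would appear in a quarterly-style report:", q)
    print("Reported only by a fuller scan:", rest)
```

Running it on the constructed report shows that only the unauthenticated, remotely exploitable SSH finding on port 22 makes the quarterly subset; the identical-severity finding on port 8443, the authenticated-only finding, the availability-only low and the informational item are all things a unit would only see from a broader scan.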

Any U-M-owned network can be scanned. Any type of host or device that is assigned an IPv4 address on the target network can be scanned, although the level of testing possible will depend on the specifics of the host. At this time, we do not offer IPv6 scanning or scanning of U-M-owned hosts that reside on non-U-M networks (such as at other universities or in third-party data centers).

Hosts that have a history of outages as the result of peaks in traffic

IIA's default scan policy is configured to stop scanning hosts if the scanner identifies them as printers or NetWare devices. For other types of devices listed above, the scan policy can be modified to scan more slowly overall or to exclude specific IP addresses from the scan. Running one or more test scans during off-peak hours may help determine whether there are hosts that will be adversely impacted. IIA will work with subscribers to determine the best unit-specific scanning option.

Yes! However, if you want the scanner to have full visibility into your network, you will need to add an exception for the scanner's IP address. A special policy will be developed for your scan that accounts for crossing the firewall, and testing will take place in advance of scheduling your scan to mitigate the risk of performance degradation while scanning.

The scan policy can be configured to your needs. When making your request for a new scan, include details of your requirements, and the analyst assigned to assist will determine whether Nessus is able to support those natively.

A non-credentialed baseline policy is used as a starting point for new scans that enables all safe tests (plugins), discovers hosts with a TCP and ICMP ping scan, performs a TCP port scan and an SNMP scan, enables CGI scanning, and uses conservative defaults for most settings. From there, IIA can configure the policy to fit your needs.

The default scan policy does not include credentialed scanning, compliance checks (such as for PCI DSS), or web application tests. If you are interested in any of these options, be sure to note it in your scan request.

Credentialed scanning is supported. We recommend credentialed scans in cases where the impact of non-credentialed scanning to the network or host would be undesirable. Credentialed scans may also be preferred on hosts that have few ports/services open, or when determining the status of installed client software is a priority.